Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-04-2024 21:25

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 107a3bf0e5a0a1cd04de670a8ca45ecb.exe
Resource: win7-20240221-en (windows7-x64)
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 107a3bf0e5a0a1cd04de670a8ca45ecb.exe
Resource: win10v2004-20240226-en (windows10-2004-x64)
6 signatures, 150 seconds

General
Target: 107a3bf0e5a0a1cd04de670a8ca45ecb.exe
Size: 148KB
MD5: 107a3bf0e5a0a1cd04de670a8ca45ecb
SHA1: 544b794055c7f8973dfac0a90c04a11a906318be
SHA256: 4a43564fe40c28126b56a510d952de67f63b6b18ad78100665a05ec9c4ada1f1
SHA512: 62ce7910647d531577d4a86b2ddb525a2e2f2923aaf26be6c5d8603feb5a76503ced81b0a6837f75bdb1ce30dc6e1f2f7c0b08f8f3f9ba49a9218097e5427e58
SSDEEP: 3072:UBVSWwlmoEhY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:U3fwfEhKOdzOdkOdezOd
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
SSODL below stands for \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

description | ioc | Process
Key created | SSODL | Cckace32.exe
Key created | SSODL | Ekhhadmk.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cllpkl32.exe
Key created | SSODL | Ikbgmj32.exe
Key created | SSODL | Jnemdecl.exe
Key created | SSODL | Kaaijdgn.exe
Key created | SSODL | Ogblbo32.exe
Key created | SSODL | Mgqcmlgl.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efaibbij.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Okikfagn.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcaomf32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpnojioo.exe
Key created | SSODL | Inljnfkg.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kemejc32.exe
Key created | SSODL | Kaceodek.exe
Key created | SSODL | Lflmci32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldidkbpb.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhkbkc32.exe
Key created | SSODL | Olpdjf32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djnpnc32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ednpej32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckdjbh32.exe
Key created | SSODL | Mppepcfg.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qfokbnip.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aaobdjof.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbhnhp32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alenki32.exe
Key created | SSODL | Epaogi32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhigphio.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cadhnmnm.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eibbcm32.exe
Key created | SSODL | Djnpnc32.exe
Key created | SSODL | Hjhhocjj.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omfkke32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cklmgb32.exe
Key created | SSODL | Ekelld32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chhjkl32.exe
Key created | SSODL | Oddpfc32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Begeknan.exe
Key created | SSODL | Igdogl32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmolnh32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mppepcfg.exe
Key created | SSODL | Mdpjlajk.exe
Key created | SSODL | Bocolb32.exe
Key created | SSODL | Egllae32.exe
Key created | SSODL | Bdlblj32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkeimlfm.exe
Key created | SSODL | Mmfbogcn.exe
Key created | SSODL | Najdnj32.exe
Key created | SSODL | Obcccl32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amkpegnj.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anafhopc.exe
Key created | SSODL | Dmafennb.exe
Key created | SSODL | Gaqcoc32.exe
Key created | SSODL | Inqcif32.exe
Key created | SSODL | Lbeknj32.exe
Key created | SSODL | Albjlcao.exe
Key created | SSODL | Abmbhn32.exe
Key created | SSODL | Qnfjna32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpdhklkl.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghoegl32.exe
Key created | SSODL | Hkkalk32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Noqamn32.exe
Key created | SSODL | Dkcofe32.exe
Executes dropped EXE (64 IoCs)
pid | Process
1988 | Pbpjiphi.exe
2084 | Qhmbagfa.exe
2640 | Qnfjna32.exe
2604 | Qdccfh32.exe
2580 | Qljkhe32.exe
2616 | Qnigda32.exe
2092 | Qecoqk32.exe
1464 | Ankdiqih.exe
2748 | Aplpai32.exe
2236 | Ajbdna32.exe
1940 | Ampqjm32.exe
2172 | Ajdadamj.exe
1244 | Alenki32.exe
2288 | Abpfhcje.exe
2284 | Amejeljk.exe
2132 | Apcfahio.exe
1320 | Ailkjmpo.exe
2972 | Bpfcgg32.exe
2404 | Bagpopmj.exe
2960 | Blmdlhmp.exe
2848 | Bokphdld.exe
2368 | Bkaqmeah.exe
2832 | Begeknan.exe
900 | Bghabf32.exe
2192 | Bopicc32.exe
1620 | Banepo32.exe
3036 | Bdlblj32.exe
2716 | Bkfjhd32.exe
2796 | Bnefdp32.exe
2632 | Baqbenep.exe
2440 | Bcaomf32.exe
2948 | Ccdlbf32.exe
1700 | Cjndop32.exe
2528 | Cllpkl32.exe
1064 | Cphlljge.exe
1072 | Cjpqdp32.exe
1604 | Chcqpmep.exe
1844 | Comimg32.exe
2296 | Cciemedf.exe
2316 | Chemfl32.exe
1684 | Ckdjbh32.exe
856 | Cckace32.exe
1040 | Cbnbobin.exe
2752 | Chhjkl32.exe
3056 | Ckffgg32.exe
1784 | Cndbcc32.exe
2792 | Dbpodagk.exe
2000 | Ddokpmfo.exe
1768 | Dkhcmgnl.exe
2216 | Dngoibmo.exe
2940 | Dqelenlc.exe
2600 | Djnpnc32.exe
2712 | Dbehoa32.exe
2700 | Ddcdkl32.exe
2612 | Dgaqgh32.exe
2728 | Dnlidb32.exe
2508 | Dmoipopd.exe
2224 | Ddeaalpg.exe
280 | Dfgmhd32.exe
1648 | Dmafennb.exe
1652 | Dgfjbgmh.exe
2320 | Emcbkn32.exe
2812 | Epaogi32.exe
588 | Ebpkce32.exe
Loads dropped DLL (64 IoCs)
pid | Process (each process is listed twice in the report, 32 processes in total)
808 | 107a3bf0e5a0a1cd04de670a8ca45ecb.exe
1988 | Pbpjiphi.exe
2084 | Qhmbagfa.exe
2640 | Qnfjna32.exe
2604 | Qdccfh32.exe
2580 | Qljkhe32.exe
2616 | Qnigda32.exe
2092 | Qecoqk32.exe
1464 | Ankdiqih.exe
2748 | Aplpai32.exe
2236 | Ajbdna32.exe
1940 | Ampqjm32.exe
2172 | Ajdadamj.exe
1244 | Alenki32.exe
2288 | Abpfhcje.exe
2284 | Amejeljk.exe
2132 | Apcfahio.exe
1320 | Ailkjmpo.exe
2972 | Bpfcgg32.exe
2404 | Bagpopmj.exe
2960 | Blmdlhmp.exe
2848 | Bokphdld.exe
2368 | Bkaqmeah.exe
2832 | Begeknan.exe
900 | Bghabf32.exe
2192 | Bopicc32.exe
1620 | Banepo32.exe
3036 | Bdlblj32.exe
2716 | Bkfjhd32.exe
2796 | Bnefdp32.exe
2632 | Baqbenep.exe
2440 | Bcaomf32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Emkaol32.exe | Ejmebq32.exe
File opened for modification | C:\Windows\SysWOW64\Bnefdp32.exe | Bkfjhd32.exe
File created | C:\Windows\SysWOW64\Elmigj32.exe | Eiomkn32.exe
File opened for modification | C:\Windows\SysWOW64\Lfjqnjkh.exe | Lckdanld.exe
File opened for modification | C:\Windows\SysWOW64\Ceaadk32.exe | Cnkicn32.exe
File created | C:\Windows\SysWOW64\Enbfpg32.dll | Pdaoog32.exe
File created | C:\Windows\SysWOW64\Qmfgjh32.exe | Pjhknm32.exe
File opened for modification | C:\Windows\SysWOW64\Abmbhn32.exe | Anafhopc.exe
File created | C:\Windows\SysWOW64\Nnfbei32.dll | Dhbfdjdp.exe
File opened for modification | C:\Windows\SysWOW64\Epaogi32.exe | Emcbkn32.exe
File opened for modification | C:\Windows\SysWOW64\Hlhaqogk.exe | Henidd32.exe
File created | C:\Windows\SysWOW64\Lajhofao.exe | Lmolnh32.exe
File created | C:\Windows\SysWOW64\Olpdjf32.exe | Ofelmloo.exe
File created | C:\Windows\SysWOW64\Kifjcn32.dll | Fddmgjpo.exe
File created | C:\Windows\SysWOW64\Dbnkge32.dll | Gmgdddmq.exe
File created | C:\Windows\SysWOW64\Ahoanjcc.dll | Emnndlod.exe
File created | C:\Windows\SysWOW64\Dbkknojp.exe | Dlnbeh32.exe
File created | C:\Windows\SysWOW64\Pnlilc32.dll | Lbqabkql.exe
File created | C:\Windows\SysWOW64\Gmndnn32.dll | Mhbped32.exe
File opened for modification | C:\Windows\SysWOW64\Ndkmpe32.exe | Namqci32.exe
File opened for modification | C:\Windows\SysWOW64\Ogblbo32.exe | Oddpfc32.exe
File created | C:\Windows\SysWOW64\Milokblc.dll | Pkpagq32.exe
File created | C:\Windows\SysWOW64\Aehboi32.exe | Aamfnkai.exe
File created | C:\Windows\SysWOW64\Cklmgb32.exe | Chnqkg32.exe
File opened for modification | C:\Windows\SysWOW64\Dmlphhec.dll | Mgqcmlgl.exe
File opened for modification | C:\Windows\SysWOW64\Naajoinb.exe | Nocnbmoo.exe
File opened for modification | C:\Windows\SysWOW64\Npfgpe32.exe | Nnhkcj32.exe
File created | C:\Windows\SysWOW64\Ojcecjee.exe | Ofhick32.exe
File created | C:\Windows\SysWOW64\Gmgdddmq.exe | Glfhll32.exe
File opened for modification | C:\Windows\SysWOW64\Mggpgmof.exe | Ldidkbpb.exe
File created | C:\Windows\SysWOW64\Mggpgmof.exe | Mggpgmof.exe
File created | C:\Windows\SysWOW64\Dcdooi32.dll | Fdapak32.exe
File opened for modification | C:\Windows\SysWOW64\Pcnbablo.exe | Ppbfpd32.exe
File created | C:\Windows\SysWOW64\Dcadac32.exe | Dpbheh32.exe
File created | C:\Windows\SysWOW64\Dbpodagk.exe | Cndbcc32.exe
File created | C:\Windows\SysWOW64\Ogjbla32.dll | Eiomkn32.exe
File created | C:\Windows\SysWOW64\Dqehhb32.dll | Mdkqqa32.exe
File created | C:\Windows\SysWOW64\Pcnbablo.exe | Ppbfpd32.exe
File opened for modification | C:\Windows\SysWOW64\Ekholjqg.exe | Emeopn32.exe
File opened for modification | C:\Windows\SysWOW64\Kcdnao32.exe | Kafbec32.exe
File created | C:\Windows\SysWOW64\Efaibbij.exe | Edpmjj32.exe
File created | C:\Windows\SysWOW64\Fgdqfpma.dll | Cllpkl32.exe
File opened for modification | C:\Windows\SysWOW64\Feeiob32.exe | Fddmgjpo.exe
File created | C:\Windows\SysWOW64\Gffoia32.dll | Jicgpb32.exe
File created | C:\Windows\SysWOW64\Npdjje32.exe | Naajoinb.exe
File created | C:\Windows\SysWOW64\Afldcl32.dll | Kgkafo32.exe
File opened for modification | C:\Windows\SysWOW64\Mkeimlfm.exe | Mhgmapfi.exe
File opened for modification | C:\Windows\SysWOW64\Nefpnhlc.exe | Najdnj32.exe
File created | C:\Windows\SysWOW64\Haloha32.dll | Bekkcljk.exe
File created | C:\Windows\SysWOW64\Fbbecd32.dll | Npdjje32.exe
File created | C:\Windows\SysWOW64\Dkjgaecj.dll | Aemkjiem.exe
File created | C:\Windows\SysWOW64\Lklohbmo.dll | Cjfccn32.exe
File created | C:\Windows\SysWOW64\Ekklaj32.exe | Emhlfmgj.exe
File created | C:\Windows\SysWOW64\Njgcpp32.dll | Geolea32.exe
File created | C:\Windows\SysWOW64\Omabcb32.dll | Ghoegl32.exe
File created | C:\Windows\SysWOW64\Blleofcd.dll | Lecgje32.exe
File opened for modification | C:\Windows\SysWOW64\Najdnj32.exe | Nolhan32.exe
File opened for modification | C:\Windows\SysWOW64\Cadhnmnm.exe | Biicik32.exe
File created | C:\Windows\SysWOW64\Nopodm32.dll | Facdeo32.exe
File created | C:\Windows\SysWOW64\Icpigm32.exe | Incpoe32.exe
File created | C:\Windows\SysWOW64\Qpgpkcpp.exe | Qimhoi32.exe
File created | C:\Windows\SysWOW64\Eibbcm32.exe | Efcfga32.exe
File created | C:\Windows\SysWOW64\Pmanoifd.exe | Pmanoifd.exe
File opened for modification | C:\Windows\SysWOW64\Dfgmhd32.exe | Ddeaalpg.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4692 | 4604 | WerFault.exe | 437
Modifies registry class (64 IoCs)
CLSID_INPROC below stands for \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32

description | ioc | Process
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" | Mpdnkb32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" | Pflomnkb.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Ejbgljdk.dll" | Aibajhdn.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" | Ebodiofk.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" | Fehjeo32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Ilknfn32.exe
Key created | CLSID_INPROC | Pjadmnic.exe
Key created | CLSID_INPROC | Bpgljfbl.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Kmopod32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Meagci32.exe
Key created | CLSID_INPROC | Okikfagn.exe
Key created | CLSID_INPROC | Pggbla32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Oimpgolj.dll" | Pjenhm32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Njlockkm.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Apimacnn.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" | Cpnojioo.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Dhbfdjdp.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" | Aplpai32.exe
Key created | CLSID_INPROC | Lbeknj32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Gokfbfnk.dll" | Naoniipe.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Fbbecd32.dll" | Npdjje32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Ddeaalpg.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Mmfbogcn.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Bkddcl32.dll" | Pbfpik32.exe
Key created | CLSID_INPROC | Ebodiofk.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Pbkafj32.dll" | Cadhnmnm.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Cjfccn32.exe
Key created | CLSID_INPROC | Bkfjhd32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" | Bkfjhd32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Elmigj32.exe
Key created | CLSID_INPROC | Mkclhl32.exe
Key created | CLSID_INPROC | Bekkcljk.exe
Key created | CLSID_INPROC | Fjgoce32.exe
Key created | CLSID_INPROC | Ilknfn32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Pdklej32.dll" | Lfjqnjkh.exe
Key created | CLSID_INPROC | Odobjg32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Chgdod32.dll" | Jkpgfn32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Pqkmjh32.exe
Key created | CLSID_INPROC | Bbjbaa32.exe
Key created | CLSID_INPROC | Ailkjmpo.exe
Key created | CLSID_INPROC | Cndbcc32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" | Eloemi32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Eloemi32.exe
Key created | CLSID_INPROC | Joifam32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Dlmfmihf.dll" | Jfekcg32.exe
Key created | CLSID_INPROC | Olpdjf32.exe
Key created | CLSID_INPROC | Nefpnhlc.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Dfkjnkib.dll" | Pggbla32.exe
Key created | CLSID_INPROC | Abmbhn32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" | Dhbfdjdp.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Ailkjmpo.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Nclpan32.dll" | Kaaijdgn.exe
Key created | CLSID_INPROC | Kemejc32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Lbqabkql.exe
Key created | CLSID_INPROC | Qfahhm32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" | Geolea32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" | Gaemjbcg.exe
Key created | CLSID_INPROC | Qfokbnip.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Qpgpkcpp.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" | Ddcdkl32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Bjlcgibn.dll" | Inqcif32.exe
Key created | CLSID_INPROC | Behnnm32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Bhigphio.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" | Ekelld32.exe
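The "Adds autorun key" and "Modifies registry class" signatures describe one persistence mechanism. Every stage writes the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, under ShellServiceObjectDelayLoad as "Web Event Logger", then points that CLSID's InProcServer32 at a DLL it has just dropped into SysWOW64 (compare the "Drops file" list: Dhbfdjdp.exe creates Nnfbei32.dll and registers it, Npdjje32.exe does the same with Fbbecd32.dll, Geolea32.exe with Njgcpp32.dll). Explorer.exe instantiates each SSODL CLSID at logon, so the DLL runs inside Explorer with no Run key to find. The sample is 32-bit, which is why every write lands under Wow6432Node; a hunt that reads only the native view misses it. The PowerShell below is an added hunting script, not part of this report or of the sample: it walks both registry views, resolves every SSODL CLSID to its DLL and checks the DLL's Authenticode status. The allow-list (WebCheck) and the DLL name pattern are my assumptions and should be tuned against a clean baseline.

```powershell
# Added hunting script, not part of the sandbox report or the sample.
# Lists every ShellServiceObjectDelayLoad (SSODL) entry in the native and
# WOW64 registry views, resolves the CLSID to its InProcServer32 DLL and
# checks that DLL. Run from an elevated prompt for a complete view.
#
# Assumptions (mine, not from the report): the allow-list holds the stock
# Windows 7 SSODL value name; the name pattern mirrors the Xxxxxx32.dll /
# Xxxxxxxx.dll drop names in this report and also matches a few legitimate
# files (kernel32.dll), so it is reported as supporting evidence only.

$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ReportClsid       = '{79FEACFF-FFCE-815E-A900-316290B5B738}'   # CLSID from this report
$ReportValueName   = 'Web Event Logger'                          # value name from this report
$AllowedValueNames = @('WebCheck')                               # assumption: baseline this per image
$RandomNamePattern = '^[A-Za-z]{6}(?:[A-Za-z]{2}|32)\.dll$'      # Lkoacn32.dll, Apmabnaj.dll, ...

function Get-SsodlFindings {
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path $key)) { continue }
        $isWow64     = $key -like '*Wow6432Node*'
        # InProcServer32 for a WOW64 CLSID lives under the WOW64 Classes view
        $classesRoot = if ($isWow64) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }

        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; keep only real registry values
        $values = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

        foreach ($v in $values) {
            $clsid  = [string]$v.Value
            $inproc = Join-Path $classesRoot "$clsid\InProcServer32"
            $dll = $null; $threading = $null; $sig = 'n/a'; $exists = $false

            if (Test-Path $inproc) {
                $p         = Get-ItemProperty -Path $inproc
                $dll       = [Environment]::ExpandEnvironmentVariables([string]$p.'(default)')
                $threading = $p.ThreadingModel
                if ($dll -and (Test-Path -LiteralPath $dll)) {
                    $exists = $true
                    $sig    = (Get-AuthenticodeSignature -FilePath $dll).Status   # 'Valid' for Microsoft-signed shell objects
                }
            }

            $reasons = @()
            if ($clsid -eq $ReportClsid)                 { $reasons += 'CLSID seen in this report' }
            if ($v.Name -eq $ReportValueName)            { $reasons += 'value name seen in this report' }
            if ($AllowedValueNames -notcontains $v.Name) { $reasons += 'value name not in allow-list' }
            if ($dll -and -not $exists)                  { $reasons += 'InProcServer32 DLL missing on disk' }
            if ($exists -and $sig -ne 'Valid')           { $reasons += "signature status: $sig" }

            [pscustomobject]@{
                View            = if ($isWow64) { 'Wow6432Node' } else { 'native' }
                ValueName       = $v.Name
                CLSID           = $clsid
                DLL             = $dll
                Threading       = $threading
                NameLooksRandom = [bool]($dll -and ((Split-Path $dll -Leaf) -match $RandomNamePattern))
                Suspicious      = ($reasons.Count -gt 0)
                Reasons         = ($reasons -join '; ')
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

On a clean Windows 7 image the WOW64 view is normally empty and the native view holds only the allow-listed entry; any row with Suspicious set to True, and in particular one whose DLL is unsigned and sits in SysWOW64 under a random-looking name, should be pulled for analysis together with the process that wrote it.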
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each parent/child pair is recorded four times in the report, 16 pairs in total)
PID 808 wrote to memory of 1988 | 808 | 107a3bf0e5a0a1cd04de670a8ca45ecb.exe | 28
PID 1988 wrote to memory of 2084 | 1988 | Pbpjiphi.exe | 29
PID 2084 wrote to memory of 2640 | 2084 | Qhmbagfa.exe | 30
PID 2640 wrote to memory of 2604 | 2640 | Qnfjna32.exe | 31
PID 2604 wrote to memory of 2580 | 2604 | Qdccfh32.exe | 32
PID 2580 wrote to memory of 2616 | 2580 | Qljkhe32.exe | 33
PID 2616 wrote to memory of 2092 | 2616 | Qnigda32.exe | 34
PID 2092 wrote to memory of 1464 | 2092 | Qecoqk32.exe | 35
PID 1464 wrote to memory of 2748 | 1464 | Ankdiqih.exe | 36
PID 2748 wrote to memory of 2236 | 2748 | Aplpai32.exe | 37
PID 2236 wrote to memory of 1940 | 2236 | Ajbdna32.exe | 38
PID 1940 wrote to memory of 2172 | 1940 | Ampqjm32.exe | 39
PID 2172 wrote to memory of 1244 | 2172 | Ajdadamj.exe | 40
PID 1244 wrote to memory of 2288 | 1244 | Alenki32.exe | 41
PID 2288 wrote to memory of 2284 | 2288 | Abpfhcje.exe | 42
PID 2284 wrote to memory of 2132 | 2284 | Amejeljk.exe | 43
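The WriteProcessMemory entries line up one-to-one with the process chain (808 writes into 1988, 1988 into 2084, and so on, four entries per parent/child pair), so this signature is the parent spawning the next stage rather than injection into a foreign process, and process-creation telemetry is the place to catch it: a run of randomly named executables in C:\Windows\SysWOW64, each launching the next, rooted in a dropper under a user's Temp directory. The PowerShell below is an added example, mine and not the report's: it reads Sysmon Event ID 1 (ProcessCreate) records, or the constructed sample embedded in it, and reports chains of at least three such processes together with the dropper that started them. The Sysmon log name and field names are the standard Sysmon ProcessCreate schema; the sample ProcessGuids are made up.

```powershell
# Added example, not part of the sandbox report or the sample: find chains of
# randomly named executables in C:\Windows\SysWOW64 where each one spawns the
# next, as the process tree in this report shows. Works on Sysmon Event ID 1
# (ProcessCreate) records from the standard Sysmon log, or on the constructed
# sample below so it can be tried offline.
#
# Assumptions (mine): Sysmon is installed with the default log name; the name
# pattern mirrors the Pbpjiphi.exe / Qnfjna32.exe style in this report and also
# matches some legitimate binaries (regsvr32.exe), which is why a chain of at
# least three consecutive hops is required before anything is reported.

$DropNamePattern = '^C:\\Windows\\SysWOW64\\[A-Za-z]{6}(?:[A-Za-z]{2}|32)\.exe$'
$MinChainLength  = 3

function Get-SysmonProcessCreates {
    # Live data: parse the EventData fields of every Sysmon ProcessCreate record
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
    ForEach-Object {
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Guid        = $d['ProcessGuid']
            ParentGuid  = $d['ParentProcessGuid']   # GUIDs survive PID reuse, PIDs do not
            ProcessId   = $d['ProcessId']
            Image       = $d['Image']
            ParentImage = $d['ParentImage']
        }
    }
}

function Find-DropperChains {
    param([object[]]$Events, [string]$NamePattern = $DropNamePattern, [int]$MinLength = $MinChainLength)
    $byGuid = @{}
    foreach ($e in $Events) { $byGuid[$e.Guid] = $e }
    $matching = @($Events | Where-Object { $_.Image -match $NamePattern })
    $hasMatchingChild = @{}
    foreach ($m in $matching) { if ($m.ParentGuid) { $hasMatchingChild[$m.ParentGuid] = $true } }

    foreach ($leaf in $matching) {
        if ($hasMatchingChild.ContainsKey($leaf.Guid)) { continue }   # a longer chain runs through this one
        $chain = @($leaf); $cur = $leaf
        while ($cur.ParentGuid -and $byGuid.ContainsKey($cur.ParentGuid) -and
               ($byGuid[$cur.ParentGuid].Image -match $NamePattern)) {
            $cur   = $byGuid[$cur.ParentGuid]
            $chain = @($cur) + $chain
        }
        if ($chain.Count -lt $MinLength) { continue }
        # The first ancestor that does not match the pattern is the dropper that started the chain
        $root = if ($cur.ParentGuid -and $byGuid.ContainsKey($cur.ParentGuid)) { $byGuid[$cur.ParentGuid].Image } else { $cur.ParentImage }
        [pscustomobject]@{
            Length  = $chain.Count
            Dropper = $root
            Chain   = ($chain | ForEach-Object { "$($_.ProcessId):$(Split-Path $_.Image -Leaf)" }) -join ' -> '
        }
    }
}

# Constructed sample (not real Sysmon output): the first hops of the chain in this
# report plus one benign process; the ProcessGuids are made up.
$SampleEvents = @(
    [pscustomobject]@{ Guid='g-808';  ParentGuid='g-expl'; ProcessId='808';  Image='C:\Users\Admin\AppData\Local\Temp\107a3bf0e5a0a1cd04de670a8ca45ecb.exe'; ParentImage='C:\Windows\explorer.exe' },
    [pscustomobject]@{ Guid='g-1988'; ParentGuid='g-808';  ProcessId='1988'; Image='C:\Windows\SysWOW64\Pbpjiphi.exe'; ParentImage='C:\Users\Admin\AppData\Local\Temp\107a3bf0e5a0a1cd04de670a8ca45ecb.exe' },
    [pscustomobject]@{ Guid='g-2084'; ParentGuid='g-1988'; ProcessId='2084'; Image='C:\Windows\SysWOW64\Qhmbagfa.exe'; ParentImage='C:\Windows\SysWOW64\Pbpjiphi.exe' },
    [pscustomobject]@{ Guid='g-2640'; ParentGuid='g-2084'; ProcessId='2640'; Image='C:\Windows\SysWOW64\Qnfjna32.exe'; ParentImage='C:\Windows\SysWOW64\Qhmbagfa.exe' },
    [pscustomobject]@{ Guid='g-2604'; ParentGuid='g-2640'; ProcessId='2604'; Image='C:\Windows\SysWOW64\Qdccfh32.exe'; ParentImage='C:\Windows\SysWOW64\Qnfjna32.exe' },
    [pscustomobject]@{ Guid='g-np';   ParentGuid='g-expl'; ProcessId='4100'; Image='C:\Windows\SysWOW64\notepad.exe';  ParentImage='C:\Windows\explorer.exe' }
)

Find-DropperChains -Events $SampleEvents | Format-Table -AutoSize -Wrap
# On a live host: Find-DropperChains -Events (Get-SysmonProcessCreates) | Format-Table -AutoSize -Wrap
```

On the constructed sample the script reports a single chain of four hops whose Dropper column is the Temp-path executable, and ignores notepad.exe because it neither matches the name pattern nor sits in a chain. Chains are walked by ProcessGuid rather than PID so that PID reuse over a long log window cannot splice unrelated processes together; the report's own PIDs are used in the sample only as labels.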
Processes
Each command line below reads C:\Windows\system32 while the image path is C:\Windows\SysWOW64: the sample and every stage it drops are 32-bit, and WOW64 file-system redirection maps system32 to SysWOW64 for 32-bit processes on 64-bit Windows.

C:\Users\Admin\AppData\Local\Temp\107a3bf0e5a0a1cd04de670a8ca45ecb.exe (depth 1, PID 808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\107a3bf0e5a0a1cd04de670a8ca45ecb.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pbpjiphi.exe (depth 2, PID 1988)
  Command line: C:\Windows\system32\Pbpjiphi.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qhmbagfa.exe (depth 3, PID 2084)
  Command line: C:\Windows\system32\Qhmbagfa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qnfjna32.exe (depth 4, PID 2640)
  Command line: C:\Windows\system32\Qnfjna32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qdccfh32.exe (depth 5, PID 2604)
  Command line: C:\Windows\system32\Qdccfh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qljkhe32.exe (depth 6, PID 2580)
  Command line: C:\Windows\system32\Qljkhe32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qnigda32.exe (depth 7, PID 2616)
  Command line: C:\Windows\system32\Qnigda32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qecoqk32.exe (depth 8, PID 2092)
  Command line: C:\Windows\system32\Qecoqk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ankdiqih.exe (depth 9, PID 1464)
  Command line: C:\Windows\system32\Ankdiqih.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Aplpai32.exe (depth 10, PID 2748)
  Command line: C:\Windows\system32\Aplpai32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ajbdna32.exe (depth 11, PID 2236)
  Command line: C:\Windows\system32\Ajbdna32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ampqjm32.exe (depth 12, PID 1940)
  Command line: C:\Windows\system32\Ampqjm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ajdadamj.exe (depth 13, PID 2172)
  Command line: C:\Windows\system32\Ajdadamj.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Alenki32.exe (depth 14, PID 1244)
  Command line: C:\Windows\system32\Alenki32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe33⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe34⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe36⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe37⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe38⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe39⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe40⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe41⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe44⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe46⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe48⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe49⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe50⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe51⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe52⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe54⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe56⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe57⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe58⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe60⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe62⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe65⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe66⤵
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe67⤵PID:2412
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe68⤵PID:2088
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe69⤵PID:3044
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe70⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe71⤵PID:1328
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe72⤵PID:2636
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe73⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe74⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe75⤵PID:2624
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe76⤵PID:2348
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe77⤵PID:2744
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe78⤵
- Modifies registry class
PID:292 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe79⤵PID:1944
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe80⤵PID:2340
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe81⤵
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe82⤵PID:1976
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe83⤵PID:580
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe84⤵PID:792
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe85⤵PID:2680
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe86⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe87⤵PID:2920
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:992 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe89⤵PID:2024
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe90⤵PID:1972
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe91⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe92⤵
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe93⤵PID:2196
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe94⤵PID:2492
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe95⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe96⤵PID:1884
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe97⤵PID:1932
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe98⤵PID:1304
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe99⤵PID:2308
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe100⤵PID:324
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe101⤵PID:448
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe102⤵PID:1388
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe103⤵PID:2056
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe104⤵PID:304
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe106⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe107⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe109⤵PID:1640
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe110⤵PID:1036
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe111⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe113⤵PID:540
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe114⤵PID:1044
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe115⤵PID:2776
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe116⤵PID:2360
-
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe117⤵PID:1732
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe118⤵PID:2548
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe119⤵PID:2388
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe120⤵PID:1704
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe121⤵PID:2860
-
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe122⤵PID:1180